Handling User-Uploaded HTML5 Content (Replacing Flash)

Haravikk
Registered User
Posts: 261
Joined: Sat Nov 02, 2002 4:42 pm

Post by Haravikk » Wed May 25, 2016 1:31 pm

So I currently have a message board which has a lot of uploaded Flash files, but with Flash generally on the decline I'm looking towards the replacements that are available.

The big advantage of Flash for a message board is that it's a single self-contained file that can easily be embedded or downloaded as preferred.

However, the main replacement going forward seems likely to be HTML5 bundles of some kind, with an HTML page (or pages), Javascript, plus images and other resources, and I'm at a bit of a loss as to how I should handle these.

Of course I can just accept .zip and other compressed formats, but these only work for users to download and run locally, whereas I'd like to retain the ability to embed content, and do so in a secure manner.


I guess I'm wondering if anyone has found another way to handle it? I could expand the uploaded archive into a folder, but this seems like it will require a sub-domain (which I already have, and I'm investigating per-user sub-domains as well) to add restrictions (e.g. no PHP support enabled), but may also require sanitising Javascript, for example to ensure cookies are limited to the sub-domain they're available on, remove eval (which I have been conditioned to read as "evil" anyway).

Seems like whatever I do it's probably not going to be straightforward! :D

Arty
Former Team Member
Posts: 16654
Joined: Wed Mar 06, 2002 2:36 pm
Name: Vjacheslav Trushkin

Re: Handling User-Uploaded HTML5 Content (Replacing Flash)

Post by Arty » Wed May 25, 2016 4:11 pm

HTML5 by itself doesn't add much. It's just a bunch of new tags. To replace Flash stuff you need a combination of modern HTML, CSS and JavaScript.

Inserting HTML could potentially be dangerous, so it's not a good idea. However neither is using Flash, which because of massive amounts of security issues that can affect your operating system, is far more dangerous.

Inserting CSS could also be potentially dangerous, but it can't be used for much more than harmless pranks. So allowing it is somewhat ok if you trust your users.

Allowing to insert JavaScript is very dangerous. It could be used to steal sessions, log login details, create posts on your behalf and other nasty stuff.

So basically it's not a good idea. But neither is allowing Flash.

Haravikk
Registered User
Posts: 261
Joined: Sat Nov 02, 2002 4:42 pm

Re: Handling User-Uploaded HTML5 Content (Replacing Flash)

Post by Haravikk » Wed May 25, 2016 5:20 pm

Arty wrote: it's not a good idea. However neither is using Flash, which because of massive amounts of security issues that can affect your operating system, is far more dangerous.
That's only an issue for people viewing the Flash files; my forum moderates uploaded Flash files and I have ClamAV scanning uploaded files for known exploits at least. The site itself is never in any danger, as the files are just data otherwise.

For making simple, portable games and animations though there's not really any alternative, and since that's what the forum is about… don't exactly have a choice ;)
Arty wrote: Inserting CSS could also be potentially dangerous, but it can't be used for much more than harmless pranks. So allowing it is somewhat ok if you trust your users.
Can it do much outside of an iframe? I was thinking of hosting the CSS/Javascript/HTML on a different sub-domain and using an iframe to embed it, this should limit a lot of the potential for abuse, plus a sub-domain lets me set different rules for nginx (so if a user tried to upload a PHP file as part of the bundle, it wouldn't be executable).
Arty wrote: Allowing to insert JavaScript is very dangerous. It could be used to steal sessions, log login details, create posts on your behalf and other nasty stuff.
This is my main concern; stealing of login-credentials via session cookies is the main risk I think, since Javascript would still be able to grab cookies for the parent domain, i.e. if the uploads are to files.example.org, then they have access to cookies for example.org.

I'm not 100% certain if Javascript can access other sub-domains though, for example if Javascript hosted at files.example.org could access cookies for forums.example.org? Even if they do, I may have to sanitise the Javascript code to force them to use a specific domain, i.e. look for calls to document.cookie and other methods and force them to include a domain of files.example.org, plus disallow workarounds like eval.

Either that or maybe somehow remove all cookie access from Javascript and replace it with a custom function call that can only set cookies for the domain I choose? Not sure what the best option is here.
Arty wrote: So basically it's not a good idea. But neither is allowing Flash.
Thanks for the advice, but the forum's purpose is the creation of these types of content, so not supporting it isn't really much of a choice ;)
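
Added example, not part of the original posts: a small model of the RFC 6265 cookie scoping rules that decide what a script on files.example.org can read through document.cookie. The host names are the ones used in the post above; the cookie names are constructed, and Path, Secure, SameSite and the browser's public-suffix check are left out.

```javascript
// Added example: RFC 6265 cookie scoping for the hosts named in the thread.
// Cookie names are constructed. Path, Secure, SameSite and the public-suffix
// check that real browsers also apply are left out of this model.

// RFC 6265 domain-match: identical, or host ends with "." + cookie domain.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Store a cookie set by a response or script on setterHost.
// Returns null when the browser would refuse the Domain attribute.
function storeCookie(setterHost, { name, domain, httpOnly = false }) {
  if (domain === undefined) {
    // No Domain attribute: host-only, bound to the exact setting host.
    return { name, domain: setterHost.toLowerCase(), hostOnly: true, httpOnly };
  }
  const d = domain.replace(/^\./, "").toLowerCase();
  if (!domainMatches(setterHost, d)) return null;
  return { name, domain: d, hostOnly: false, httpOnly };
}

// Cookie names that document.cookie exposes to a script running on host.
function visibleToScript(jar, host) {
  const h = host.toLowerCase();
  return jar
    .filter((c) => !c.httpOnly)
    .filter((c) => (c.hostOnly ? c.domain === h : domainMatches(h, c.domain)))
    .map((c) => c.name);
}

function buildJar() {
  return [
    storeCookie("forums.example.org", { name: "sid_hostonly" }),
    storeCookie("forums.example.org", { name: "sid_wide", domain: "example.org" }),
    storeCookie("forums.example.org", { name: "sid_wide_httponly", domain: "example.org", httpOnly: true }),
    storeCookie("files.example.org", { name: "upload_pref" }),
  ];
}

const jar = buildJar();
console.log("files.example.org sees:", visibleToScript(jar, "files.example.org"));
console.log("forums.example.org sees:", visibleToScript(jar, "forums.example.org"));
console.log("files may set Domain=forums.example.org:",
  storeCookie("files.example.org", { name: "x", domain: "forums.example.org" }) !== null);
console.log("files may set Domain=example.org:",
  storeCookie("files.example.org", { name: "x", domain: "example.org" }) !== null);
```

In this model a forum session cookie set without a Domain attribute, or with HttpOnly, is not readable from files.example.org, while one set with Domain=example.org is; serving uploads from a separate registrable domain removes the shared parent altogether.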

3Di
Registered User
Posts: 12946
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: Handling User-Uploaded HTML5 Content (Replacing Flash)

Post by 3Di » Wed May 25, 2016 6:45 pm

FWIW there is a topic that started about one year ago, related to this.

The resume of everything is there; feel free to have a look, I am just linking you to it.
viewtopic.php?p=14371496#p14371496
